Iranian cyber espionage operations exposed via Telegram channels and Dark Web websites

• The MuddyWater leak contained images of the source code, C&C server backends, and images listing victims’ IP addresses.
• The Rana Institute leak revealed insights on the attacks that were carried out on Israeli airlines' databases, insurance companies, hotel booking websites, and Israeli Ministry of Agriculture.

Two new leaks on Iranian cyber espionage operations have been published online via Telegram channels and websites on the Dark Web.

What is exposed in the two new leaks?

• The first leak exposes operational data from the MuddyWater hacking group.
• The second leak reveals information about a new group identified in official Iranian government documents as the Rana Institute, which is currently not linked to any known Iranian cyber-espionage group.

About the MuddyWater leak

The Green Leakers group claims to own information about the MuddyWater cyber-espionage group. The group is selling data from the MuddyWater APT group on two Telegram channels and two Dark Web portals.

Since the data was put up for sale, the leakers did not release any tools for free. However, they posted the following,

• Images showing the source code of a C&C server used by the MuddyWater APT group.
• Images of MuddyWater C&C server backends
• Images of unredacted IP addresses of some of MuddyWater's victims.

About the Rana Institute leak

The Rana Institute leak which was written in Persian was published on a website on the public Internet and on a Telegram channel.

Green leakers published excerpts from documents labeled “secret” from the Iranian Ministry of Intelligence. The excerpts contained details of the Rana Institute which is a contractor hired for cyber-espionage operations. The details include,

• Activities of Rana Institute
• Cyber attack strategies
• List of employees
• List of victims
• Personal details of Rana Institute members
• Details on past campaigns
• Targeted countries
• Screenshots from internal websites

According to the leaked documents, the targeted countries include Sri Lanka, India, UAE, Dubai, Thailand, Philippines, Hong Kong, Malaysia, Indonesia, Egypt, South Africa, New Zealand, Australia, and Colombia, among others.

Worth noting

“The documents shed light on some aspects of the group's activity, notably: tracking Iranians, tracking Iranian citizens outside of Iran, and the group's members,” ClearSky said in a report.

The leak also revealed insights on the attacks that were carried out on Israeli airlines' databases, insurance companies, hotel booking websites, and Israeli Ministry of Agriculture.

Unlike the MuddyWater leak, this leak has been verified by security researchers with ClearSky Security.